[PATCH v2 0/5] rsa: fix dependency, rename and relocate RSASSA PSS symbols
Quentin Schulz
foss+uboot at 0leil.net
Fri Oct 31 18:08:19 CET 2025
While historically signature verification is mostly done for FIT, such
that the FIT_SIGNATURE dependency for the signature algorithm makes sense,
it isn't the only kind of file we can verify signatures of. It can also be
done manually with rsa_verify_hash() with an embedded public key.

Considering the impacted code is guarded by RSA_VERIFY, let's make the
symbol depend on that, otherwise selecting it without RSA_VERIFY won't do
anything. The FIT_SIGNATURE dependency also wasn't enough before as it
only implied RSA_VERIFY.

Then, simply relocate the RSA SSA PSS padding with the other RSA symbols
in lib/rsa instead of in boot/ and rename it to remove the mention of
FIT.

Finally, add the PSS padding wherever PKCS1.5 padding is specified as
one or the other can be used.

Signed-off-by: Quentin Schulz <quentin.schulz at cherry.de>
---
Changes in v2:
- do not always enable PSS padding, the increase in size is too much,
- added patch renaming the symbol,
- added patch to fix input prompt and dependency on RSA_VERIFY,
- added patch fixing missing PSS in docstring,
- added patch to group SPL_FIT_ symbols together,
- added patch to remove duplicate VPL_FIT symbol,
- Link to v1: https://patch.msgid.link/20251029-rsa-pss-always-v1-1-ad2b652e75aa@cherry.de
---
Quentin Schulz (5):
      boot: fix incorrect dependency of FIT_RSASSA_PSS
      boot: remove duplicate config entry for VPL_FIT
      boot: group SPL_FIT symbols together
      rsa: rename FIT_RSASSA_PSS to RSASSA_PSS and move symbols under lib/rsa
      rsa: update doxygen doc for RSA signature verification to mention PSS

 boot/Kconfig              | 62 ++++++++++++++++-------------------------------
 configs/sandbox_defconfig |  2 +-
 lib/rsa/Kconfig           | 14 +++++++++++
 lib/rsa/rsa-sign.c        |  2 +-
 lib/rsa/rsa-verify.c      |  8 +++---
 tools/Kconfig             |  2 +-
 6 files changed, 42 insertions(+), 48 deletions(-)
---
base-commit: e34d01d23e45e007368685ffa6dfd674b6dd7b17
change-id: 20251029-rsa-pss-always-dbba5c57d913
Best regards,
--
Quentin Schulz <quentin.schulz at cherry.de>